
Thursday, March 20, 2014

Application Information Service - The heart of UAC



In this article/blog we will talk about the Application Information Service, which is the core of Windows User Account Control and the centerpiece of the security framework Microsoft introduced with Windows Vista.

Introduction
When running an application you may come across a scenario where the application causes a UAC prompt to be presented, asking the user for consent to continue the launch with elevated privileges. The action is first checked for
For definitions of the concepts used below, consult the references on the following:
       a.       Elevated token
       b.      Manifest
       c.       User Account Control
       d.      Consent.exe

The Application Information Service (AIS) is at the heart of the User Account Control prompt. Whenever an application requires an elevated token, the launch request is referred to the AIS. AIS launches consent.exe, which finds out whether the user grants consent. Explorer does not act on the manifest itself: it hands the launch to AIS, which reads the manifest, obtains the user's decision through consent.exe and, if consent is given, creates the elevated process. Only then does the application's own binary code get control of the processor.
To show that the consent prompt is launched by a service (AIS) and not by explorer.exe, we trigger a prompt and, as soon as we return to the normal desktop with Process Explorer running, press the space bar to pause Process Explorer's refresh. In the screenshot in Fig1 we see that svchost.exe, not explorer.exe, is the parent of consent.exe.


Fig1: Who calls consent.exe?


The svchost.exe in question is the one that was launched with the ‘-k netsvcs’ switch, as shown in Fig2. This particular svchost.exe instance hosts the Application Information Service.

Fig2: svchost.exe calls consent.exe

When is the Application Information Service started?
AIS is configured for manual start and is started on demand by the Service Control Manager the first time an elevation is requested. It runs in the netsvcs service group; the command line shown in the SCM console under the service's properties is ‘C:\WINDOWS\system32\svchost.exe -k netsvcs’ and the service DLL is ‘appinfo.dll’. Searching for appinfo.dll in Process Explorer finds it loaded in an svchost.exe (PID 628 in this example), as shown in Fig3 below:
Fig3: Who hosts appinfo.dll (AIS)?

When we look at the properties of process 628 we see that it is the svchost.exe that was started with the ‘netsvcs’ parameter, as shown in Fig4 below:
Fig4: svchost hosts appinfo.dll

The service description shown by the SCM reads: "Facilitates the running of interactive applications with additional administrative privileges. If this service is stopped, users will be unable to launch applications with the additional administrative privileges they may require to perform desired user tasks."
The shell checks with this service when it launches an application. AIS reads the manifest and its ‘trustInfo’ XML section, which carries the ‘requestedExecutionLevel’ the application asks for. Because AIS runs as a service under the SYSTEM account, it can spawn a new process with the token that execution level calls for. The child is then re-parented so that it appears as a child process of the calling application rather than of the service. The flow is shown in Fig5 below:
Fig5: The process flow of the UAC prompt

If AIS is not running, applications that require an elevated token cannot obtain one and therefore cannot be started elevated.
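The Process Explorer observations above can be reproduced from the command line. The following is an added example written for this page, not code from the original post: it asks the Service Control Manager (through the Win32_Service and Win32_Process WMI classes) which svchost.exe hosts the service named 'Appinfo', confirms that appinfo.dll is mapped into it, and reports who the parent of consent.exe is while a prompt is on screen. Run it from an elevated PowerShell so that command lines and module lists of SYSTEM processes are readable.

```powershell
# Added example, not part of the original post. Locates the svchost.exe that hosts the
# Application Information Service (service name 'Appinfo') and shows whose child
# consent.exe is while a UAC prompt is on screen. Run from an elevated PowerShell.

function Get-AppInfoHost {
    # The Service Control Manager records which process hosts the service;
    # Win32_Service exposes that PID, the configured command line and the state.
    $svc = Get-CimInstance Win32_Service -Filter "Name='Appinfo'"
    if (-not $svc) { throw "Appinfo service not found on this system" }
    if ($svc.State -ne 'Running') {
        return [pscustomobject]@{ Service = 'Appinfo'; State = $svc.State; HostPid = $null }
    }
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId=$($svc.ProcessId)"
    # Confirm the service DLL is actually mapped into that svchost instance.
    $loadsDll = [bool](Get-Process -Id $svc.ProcessId -Module -ErrorAction SilentlyContinue |
                       Where-Object { $_.ModuleName -ieq 'appinfo.dll' })
    [pscustomobject]@{
        Service        = 'Appinfo'
        State          = $svc.State
        StartMode      = $svc.StartMode       # 'Manual': started on demand by the first elevation
        ConfiguredPath = $svc.PathName        # e.g. C:\WINDOWS\system32\svchost.exe -k netsvcs
        HostPid        = $svc.ProcessId
        HostCmdLine    = $proc.CommandLine
        LoadsAppInfo   = $loadsDll
    }
}

function Get-ConsentParent {
    # consent.exe exists only while a prompt is displayed; with no prompt open this returns nothing.
    $appinfoPid = (Get-AppInfoHost).HostPid
    Get-CimInstance Win32_Process -Filter "Name='consent.exe'" | ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.ParentProcessId)"
        [pscustomobject]@{
            ConsentPid          = $_.ProcessId
            ParentPid           = $_.ParentProcessId
            ParentName          = $parent.Name          # expected: svchost.exe, not explorer.exe
            ParentCmdLine       = $parent.CommandLine
            ParentIsAppInfoHost = ($_.ParentProcessId -eq $appinfoPid)
        }
    }
}

Get-AppInfoHost   | Format-List
Get-ConsentParent | Format-List
```

Two practical caveats. With the default settings the prompt is drawn on the secure desktop, which freezes the interactive desktop until the prompt is answered, so to catch consent.exe alive you either trigger the prompt from a non-elevated window after temporarily selecting the slider notch that does not dim the desktop, or run the query from a second session (for example a PowerShell remoting session). And on Windows 10 builds from 1703 onward, machines with more than about 3.5 GB of RAM host most services in their own svchost.exe, so the host's command line may not read '-k netsvcs'; the script relies on the PID the SCM reports rather than on the group name.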

Wednesday, February 19, 2014

The User Account Control (UAC) Prompts

This article/blog discusses the behavior of the prompts presented by UAC when an application requires administrative access.



The UAC prompt is an important component of the UAC security control set introduced with Windows Vista to protect users from accidental misconfiguration and from intentional actions performed by malware.



The UAC prompt appears when actions such as the following take place:
       a.       Installing applications
       b.      System settings are being changed
       c.       The application has requested elevation in its application manifest. (To read more about application manifests visit this page: http://securityinternals.blogspot.ae/2014/01/application-manifests-and-assemblies.html )


Controlling the UAC prompting behavior
The prompts can be controlled from Control Panel -> User Accounts -> User Accounts -> Change User Account Control Settings, and they can also be changed through the Group Policy editor, as shown in Fig1 below.
 Fig1: The Control Panel app that controls the behavior of the UAC prompts
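Both the Control Panel slider and the Group Policy settings end up as values under one registry key, which is what an auditor actually reads. The following is an added example for this page, not code from the original post: it reads the UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, decodes them with Microsoft's documented meanings, and flags the combinations that weaken the prompt. Reading HKLM needs no elevation. The defaults assumed for absent values (EnableLUA 1, ConsentPromptBehaviorAdmin 5, ConsentPromptBehaviorUser 3, PromptOnSecureDesktop 1) are the built-in ones.

```powershell
# Added example, not part of the original post. Reads the UAC policy values that the
# Control Panel slider and the Group Policy settings under
# "Security Options > User Account Control" write to the registry, and decodes them.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$AdminBehavior = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}
$UserBehavior = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (default)'
}

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $UacKey
    # An absent value means "built-in default"; do not let it silently read as 0.
    $get = { param($name, $default) if ($null -ne $p.$name) { [int]$p.$name } else { $default } }
    $lua    = & $get 'EnableLUA'                   1
    $admin  = & $get 'ConsentPromptBehaviorAdmin'  5
    $user   = & $get 'ConsentPromptBehaviorUser'   3
    $secure = & $get 'PromptOnSecureDesktop'       1
    $sigs   = & $get 'ValidateAdminCodeSignatures' 0

    $findings = @()
    if ($lua -eq 0)    { $findings += 'EnableLUA=0: UAC is off; administrators always run with a full token' }
    if ($admin -eq 0)  { $findings += 'Administrators elevate silently; no consent prompt is ever shown' }
    if ($secure -eq 0) { $findings += 'Prompts appear on the interactive desktop, where other user-mode windows can overlay or drive them' }
    if ($user -eq 0)   { $findings += 'Standard users get a flat denial instead of a credentials prompt' }

    [pscustomobject]@{
        EnableLUA                   = $lua
        ConsentPromptBehaviorAdmin  = "$admin - $($AdminBehavior[$admin])"
        ConsentPromptBehaviorUser   = "$user - $($UserBehavior[$user])"
        PromptOnSecureDesktop       = $secure
        ValidateAdminCodeSignatures = $sigs   # 1 = only signed and validated executables may elevate
        Findings                    = $findings
    }
}

Get-UacPolicy | Format-List
```

For reference, the top slider notch ("Always notify") corresponds to ConsentPromptBehaviorAdmin 2 with PromptOnSecureDesktop 1, and the default notch to ConsentPromptBehaviorAdmin 5 with PromptOnSecureDesktop 1; the notch that does not dim the desktop keeps 5 but sets PromptOnSecureDesktop to 0, which is the finding the script reports.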

Types of UAC prompts
There are different UAC prompts depending on the type of activity being carried out and on who is carrying it out, i.e. the trust level of the application being run or requesting elevated access.

The credentials prompt
1 - If the user is not signed in with an administrative account, the prompt asks for the username and password of an account that has administrative rights on the system, as shown in Fig2.

Fig2: The UAC prompt when the signed-in user is not an administrator

The consent prompts

When an application is launched from the explorer.exe shell the following sequence takes place:
a. The shell calls 'ShellExecute' to execute the application.
b. The shell checks with the Application Information Service (AIS) to see what conditions are needed for the application to execute.
c. AIS checks the application's manifest to see if the application requires elevation. For more information about manifests see the article on manifests: http://securityinternals.blogspot.ae/2014/01/application-manifests-and-assemblies.html
d. If the application requires elevation, consent.exe (C:\Windows\System32\consent.exe) is launched.
e. consent.exe prompts the user for their consent.
f. If consent is given, AIS creates a process with an elevated token and 'reparents' the newly created process, making it a child of the explorer.exe process that launched it in the first place.
g. If the user does not give consent, the application does not run.

The above sequence is illustrated in Fig3 below:

Fig3: Role of consent.exe in the UAC consent prompt


2 - If a Windows-signed component needs to carry out an administrative action and the user has an administrative account, a consent prompt carrying the blue-and-yellow quartered shield appears, as shown in Fig4.

Fig4: The UAC prompt when a Windows-signed application requires administrative access
 



3 - If the application is signed by a known publisher other than Windows, the prompt is as shown in Fig5. The non-Windows publisher can be Microsoft itself, Adobe or Oracle: applications signed with a Microsoft Corporation certificate are not trusted in the way Windows-signed components are.

Fig5: The UAC prompt when an application by a non-Windows but known
publisher requires administrative access

4 - If the publisher is unidentified, the prompt is as shown in Fig6.

Fig6: The UAC prompt when an application from an unidentified publisher
requires administrative access

5 - If the application requiring administrative access is signed by an explicitly blocked or untrusted publisher, the prompt is as shown in Fig7.
Fig7: The UAC prompt when an application signed by an explicitly blocked
or untrusted publisher requires administrative access
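The two inputs that decide whether a prompt appears, and which of the five flavours above it is, are the manifest's requestedExecutionLevel (step c of the sequence) and the publisher of the Authenticode signature. The following is an added example written for this page, not code from the original post: it reads the embedded RT_MANIFEST resource of an executable through kernel32 (the same resource CreateProcess and AIS evaluate), extracts the requestedExecutionLevel, classifies the signer with Get-AuthenticodeSignature, and predicts the prompt type. The resource IDs (1 for CreateProcess, 2 and 3 for isolation-aware manifests), the RT_MANIFEST type 24 and the CN=Microsoft Windows publisher certificate are documented Windows behaviour; the final mapping to prompt type is an approximation of UAC's policy for illustration, not a re-implementation of it.

```powershell
# Added example, not part of the original post. For a given executable, reads the embedded
# manifest's requestedExecutionLevel (the 'trustInfo' section AIS evaluates) and the Authenticode
# signer, then predicts which prompt type the user would see. The prompt-type mapping is an
# approximation of UAC policy for illustration.
Add-Type -Namespace Uac -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
public static extern IntPtr LoadLibraryExW(string lpFileName, IntPtr hFile, uint dwFlags);
[DllImport("kernel32.dll", SetLastError=true)] public static extern bool FreeLibrary(IntPtr hModule);
[DllImport("kernel32.dll", SetLastError=true)] public static extern IntPtr FindResourceW(IntPtr hModule, IntPtr lpName, IntPtr lpType);
[DllImport("kernel32.dll", SetLastError=true)] public static extern IntPtr LoadResource(IntPtr hModule, IntPtr hResInfo);
[DllImport("kernel32.dll")] public static extern IntPtr LockResource(IntPtr hResData);
[DllImport("kernel32.dll")] public static extern uint SizeofResource(IntPtr hModule, IntPtr hResInfo);
'@

function Get-EmbeddedManifest([string]$Path) {
    # LOAD_LIBRARY_AS_DATAFILE (0x2) | LOAD_LIBRARY_AS_IMAGE_RESOURCE (0x20): map the file for
    # resource access only, so none of its code runs and 32-bit images can be read from 64-bit PowerShell.
    $h = [Uac.Native]::LoadLibraryExW($Path, [IntPtr]::Zero, 0x2 -bor 0x20)
    if ($h -eq [IntPtr]::Zero) { throw "LoadLibraryEx failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    try {
        $RT_MANIFEST = [IntPtr]24
        foreach ($id in 1, 2, 3) {       # CreateProcess uses ID 1; 2 and 3 are the isolation-aware variants
            $res = [Uac.Native]::FindResourceW($h, [IntPtr]$id, $RT_MANIFEST)
            if ($res -eq [IntPtr]::Zero) { continue }
            $size  = [Uac.Native]::SizeofResource($h, $res)
            $ptr   = [Uac.Native]::LockResource([Uac.Native]::LoadResource($h, $res))
            $bytes = New-Object byte[] $size
            [Runtime.InteropServices.Marshal]::Copy($ptr, $bytes, 0, [int]$size)
            return [Text.Encoding]::UTF8.GetString($bytes).TrimStart([char]0xFEFF)   # assumes a UTF-8 manifest
        }
        return $null
    } finally { [void][Uac.Native]::FreeLibrary($h) }
}

function Get-UacPrediction([string]$Path) {
    $manifest = Get-EmbeddedManifest $Path
    $level = 'asInvoker'; $uiAccess = $false      # what UAC assumes when no manifest is present
    if ($manifest) {
        $node = ([xml]$manifest).SelectSingleNode("//*[local-name()='requestedExecutionLevel']")
        if ($node) { $level = $node.GetAttribute('level'); $uiAccess = $node.GetAttribute('uiAccess') -eq 'true' }
    }

    # Publisher class drives which prompt is shown. IsOSBinary (PowerShell 5.1+) is the reliable
    # Windows-publisher test; the subject-CN match is a fallback heuristic. Older PowerShell versions
    # do not consult the system catalog, so catalog-signed OS binaries may report NotSigned there.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $publisher = switch ($sig.Status) {
        'Valid'     { if ($sig.IsOSBinary -or $subject -match 'CN=Microsoft Windows(,|$)') { 'Windows publisher' } else { 'Known publisher (non-Windows)' } }
        'NotSigned' { 'Unidentified publisher (unsigned)' }
        default     { "Untrusted or blocked publisher ($($sig.Status))" }
    }

    # Only an account in Administrators can satisfy highestAvailable with a full token; a standard
    # user runs such a binary asInvoker with no prompt. The filtered token of a protected
    # administrator still lists the Administrators SID (deny-only), so this check sees it.
    $isAdminAccount = [Security.Principal.WindowsIdentity]::GetCurrent().Groups.Value -contains 'S-1-5-32-544'
    $needsElevation = ($level -eq 'requireAdministrator') -or ($level -eq 'highestAvailable' -and $isAdminAccount)

    [pscustomobject]@{
        Path                    = $Path
        RequestedExecutionLevel = $level
        UiAccess                = $uiAccess
        SignatureStatus         = $sig.Status
        Signer                  = $subject
        PublisherClass          = $publisher
        PromptExpected          = $needsElevation
        PromptType              = if ($needsElevation) { $publisher } else { 'None (runs with the caller''s token)' }
    }
}

# Usage: msconfig.exe is a Windows component whose manifest declares requireAdministrator.
Get-UacPrediction "$env:SystemRoot\System32\msconfig.exe" | Format-List
```

Point the function at any third-party installer to see the "Known publisher" or "Unidentified publisher" outcome; a binary whose signer has been placed in the Disallowed certificate store falls into the default branch, which is the blocked-publisher case of Fig7.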


About the Author: Saquib Farooq Malik is a senior Information Security Specialist. Saquib specializes in Vulnerability Assessment and Penetration Testing and in implementations of ISO 27001 in different corporate environments in the Middle East.
He is a CISSP, an ITILv3 Foundation certified professional, an ISO 27001 Lead Auditor, a Tenable Certified Nessus Auditor and a Lumension Certified Engineer.